diff --git a/integration-tests/integrationTestUtils/integrationTestUtils.go b/integration-tests/integrationTestUtils/integrationTestUtils.go
index 2d88c1a13a4cd9900e417fb7b567bffc842cf1e4..4c523f5f3d444c6d27138c66de1cde792f0f5521 100644
--- a/integration-tests/integrationTestUtils/integrationTestUtils.go
+++ b/integration-tests/integrationTestUtils/integrationTestUtils.go
@@ -16,7 +16,7 @@ import (
 "google.golang.org/grpc/metadata"
 )
 
-func createContextWithAuthorization(loginResponse *rbac.LoginResponse) context.Context {
+func CreateContextWithAuthorization(loginResponse *rbac.LoginResponse) context.Context {
 md := metadata.Pairs("authorize", loginResponse.Token)
 return metadata.NewOutgoingContext(context.Background(), md)
 }
@@ -35,7 +35,7 @@ func CreateSecureConnection() (*grpc.ClientConn, context.Context, error) {
 return nil, nil, err
 }
 
-sessionContext := createContextWithAuthorization(loginResp)
+sessionContext := CreateContextWithAuthorization(loginResp)
 dialOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 conn, err := grpc.Dial(controllerUrl, dialOption, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(100*1024*1024)))
diff --git a/integration-tests/rbac_tests/rbac_test.go b/integration-tests/rbac_tests/rbac_test.go
index e3d1736c0d2d0ca92a5392014c2b0cc9a1aa65e8..25da0782eec24398c109f9ac0c00fda53031df8e 100644
--- a/integration-tests/rbac_tests/rbac_test.go
+++ b/integration-tests/rbac_tests/rbac_test.go
@@ -7,7 +7,10 @@ import (
 "time"
 
 "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/conflict"
+ mnepb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/networkelement"
 apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
+ "github.com/sirupsen/logrus"
+
 integration_test_utils "code.fbi.h-da.de/danet/gosdn/integration-tests/integrationTestUtils"
 "google.golang.org/grpc"
 )
@@ -141,4 +144,123 @@ func TestUserCreationAndModification(t *testing.T) {
 }
 }
 
-// TODO(faseid): wrong user permission test for devices
+// TODO(faseid): role creation and modification test!
+
+func TestUserWithoutPermission(t *testing.T) {
+ defer integration_test_utils.ApplySDNConfig(conn, ctx, defaultSDNConfig)
+
+ // setup required parameters
+ const roleName = "peter"
+
+ createUserRequestPreparation := &apb.CreateUsersRequest{
+ Timestamp: time.Now().UnixNano(),
+ User: []*apb.User{
+ {
+ Id: userUUID,
+ Name: user1NameAndPW,
+ Roles: map[string]string{pndID: roleName},
+ Password: user1NameAndPW,
+ Metadata: &conflict.Metadata{
+ ResourceVersion: 0,
+ },
+ },
+ },
+ }
+
+ createUserRequestTestCase := &apb.CreateUsersRequest{
+ Timestamp: time.Now().UnixNano(),
+ User: []*apb.User{
+ {
+ Id: "b22c4e46-fa54-4226-8e61-134c895bef5b",
+ Name: "test",
+ Roles: map[string]string{pndID: "admin"},
+ Password: user1NameAndPW,
+ Metadata: &conflict.Metadata{
+ ResourceVersion: 0,
+ },
+ },
+ },
+ }
+
+ createRoleRequest := &apb.CreateRolesRequest{
+ Timestamp: time.Now().UnixNano(),
+ Roles: []*apb.Role{
+ {
+ Name: roleName,
+ Description: "Something that only a peter can do.",
+ Permissions: []string{
+ "/gosdn.rbac.UserService/CreateUsers",
+ "/gosdn.networkelement.NetworkElementService/GetAllFlattened",
+ },
+ },
+ },
+ }
+
+ loginRequest := &apb.LoginRequest{
+ Timestamp: time.Now().UnixNano(),
+ Username: user1NameAndPW,
+ Pwd: user1NameAndPW,
+ }
+
+ // setup gRPC services
+ userService := apb.NewUserServiceClient(conn)
+ roleService := apb.NewRoleServiceClient(conn)
+ authService := apb.NewAuthServiceClient(conn)
+ mneService := mnepb.NewNetworkElementServiceClient(conn)
+
+ // create a user and its role
+ _, err := userService.CreateUsers(ctx, createUserRequestPreparation)
+ if err != nil {
+ t.Error(err)
+ }
+
+ _, err = roleService.CreateRoles(ctx, createRoleRequest)
+ if err != nil {
+ t.Error(err)
+ }
+
+ // login new user
+ loginResponse, err := authService.Login(context.Background(), loginRequest)
+ if err != nil {
+ t.Error(err)
+ }
+
+ sessionToken := integration_test_utils.CreateContextWithAuthorization(loginResponse)
+
+ // test if user can get all MNE, should fail
+ _, err = mneService.GetAll(sessionToken, &mnepb.GetAllRequest{
+ Timestamp: time.Now().UnixNano(),
+ Pid: pndID,
+ },
+ )
+ if err == nil {
+ t.Errorf("Error in Test: TestUserWithoutPermission, expected err: sth about permission, got:%v", err)
+ }
+
+ // test if user can get all flattened MNE, should work
+ _, err = mneService.GetAllFlattened(sessionToken, &mnepb.GetAllFlattenedRequest{
+ Timestamp: time.Now().UnixNano(),
+ Pid: pndID,
+ },
+ )
+ if err != nil {
+ t.Errorf("Error in Test: TestUserWithoutPermission, expected: nil, got:%v", err)
+ }
+
+ // test if user1 can create user with admin role, should fail
+ _, _ = userService.CreateUsers(sessionToken, createUserRequestTestCase)
+ //TODO(faseid): implement mechanism to stop random user from creating admin user,
+ // then uncomment test case
+ // if err == nil {
+ // t.Errorf("Error in Test: TestUserWithoutPermission, expected err: sth about permission, got:%v", err)
+ // }
+
+ // test if user1 can create user with random role, should work
+ createUserRequestTestCase.User[0].Roles[pndID] = "peter 2"
+ _, err = userService.CreateUsers(sessionToken, createUserRequestTestCase)
+ if err != nil {
+ t.Errorf("Error in Test: TestUserWithoutPermission, expected: nil, got:%v", err)
+ }
+
+ logrus.Info("asf")
+}
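Review bot: The negative check after `mneService.GetAll` only tests `err == nil`, so any error at all — a transport failure, a rejected token, a wrong `Pid` — satisfies "should fail" without showing that the authorization layer is what rejected the call; compare the gRPC status instead, e.g. `if status.Code(err) != codes.PermissionDenied { t.Errorf("expected PermissionDenied, got %v", err) }` (imports `google.golang.org/grpc/codes` and `google.golang.org/grpc/status`). The three setup errors (CreateUsers, CreateRoles, Login) are reported with `t.Error` and execution falls through, so a failed `Login` leaves `loginResponse` nil and `CreateContextWithAuthorization` reads `loginResponse.Token` (first hunk) and panics; `t.Fatal(err)` is the right call for setup failures. The admin-role `CreateUsers` call made with the low-privilege session discards `err`, and the commit's own TODO states the server does not yet prevent it — i.e. a role granting only `/gosdn.rbac.UserService/CreateUsers` can currently mint an `admin` user; keeping `err` and logging it, or `t.Skip`ping with the TODO text, keeps that privilege-escalation gap visible in test output instead of silent. Note also that the follow-up "peter 2" request reuses the same `Id` and `Name: "test"`, so if the first call succeeded the second may be rejected as a duplicate rather than for role reasons — worth confirming against the server. `logrus.Info("asf")` at the end looks like a leftover debug line.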